2008-12-05

How to block Indy Library

Posted in Apache, Network Security, FreeBSD/Unix Servers at 15:32 Author: 仲远


If a site administrator with some spare time reads through the access log of their own site (the raw log, not the aggregated statistics), they are bound to be alarmed: there are far too many ill-intentioned connections and requests. Usually these connections and requests do not succeed, so they cause no great damage. But once one of them does succeed, the consequences can be very serious.

For example, here is an excerpt from this site's access log:

202.96.180.147 - - [05/Dec/2008:15:01:03 +0800] "GET /showtb.asp?id=80 HTTP/1.1" 404 10159 "-" "Mozilla/3.0 (compatible; Indy Library)"
202.96.180.147 - - [05/Dec/2008:15:01:11 +0800] "POST / HTTP/1.0" 200 38305 "http://www.wangzhongyuan.com/archives/80.html" "Mozilla/3.0 (compatible; Indy Library)"
219.131.237.77 - - [05/Dec/2008:15:02:46 +0800] "GET /showtb.asp?id=285 HTTP/1.1" 404 9957 "-" "Mozilla/3.0 (compatible; Indy Library)"
219.131.237.77 - - [05/Dec/2008:15:02:52 +0800] "POST / HTTP/1.0" 200 38422 "http://www.wangzhongyuan.com/archives/285.html" "Mozilla/3.0 (compatible; Indy Library)"
121.205.55.154 - - [05/Dec/2008:15:03:32 +0800] "GET /showtb.asp?id=424 HTTP/1.1" 404 9996 "-" "Mozilla/3.0 (compatible; Indy Library)"
121.205.55.154 - - [05/Dec/2008:15:03:36 +0800] "POST / HTTP/1.0" 200 38226 "http://www.wangzhongyuan.com/archives/424.html" "Mozilla/3.0 (compatible; Indy Library)"
220.189.55.228 - - [05/Dec/2008:15:04:23 +0800] "GET /showtb.asp?id=160 HTTP/1.1" 404 9779 "-" "Mozilla/3.0 (compatible; Indy Library)"
220.189.55.228 - - [05/Dec/2008:15:04:26 +0800] "POST / HTTP/1.0" 200 38539 "http://www.wangzhongyuan.com/archives/160.html" "Mozilla/3.0 (compatible; Indy Library)"
58.212.131.137 - - [05/Dec/2008:15:07:41 +0800] "GET /showtb.asp?id=62 HTTP/1.1" 404 9999 "-" "Mozilla/3.0 (compatible; Indy Library)"
58.212.131.137 - - [05/Dec/2008:15:07:43 +0800] "POST / HTTP/1.0" 200 38378 "http://www.wangzhongyuan.com/archives/62.html" "Mozilla/3.0 (compatible; Indy Library)"
222.247.84.154 - - [05/Dec/2008:15:11:56 +0800] "GET /showtb.asp?id=62 HTTP/1.1" 404 9904 "-" "Mozilla/3.0 (compatible; Indy Library)"
222.247.84.154 - - [05/Dec/2008:15:11:58 +0800] "POST / HTTP/1.0" 200 38450 "http://www.wangzhongyuan.com/archives/62.html" "Mozilla/3.0 (compatible; Indy Library)"
59.50.54.222 - - [05/Dec/2008:15:13:03 +0800] "GET /showtb.asp?id=434 HTTP/1.1" 404 9924 "-" "Mozilla/3.0 (compatible; Indy Library)"
59.50.54.222 - - [05/Dec/2008:15:13:04 +0800] "POST / HTTP/1.0" 200 38377 "http://www.wangzhongyuan.com/archives/434.html" "Mozilla/3.0 (compatible; Indy Library)"
121.205.55.154 - - [05/Dec/2008:15:14:25 +0800] "GET /showtb.asp?id=426 HTTP/1.1" 404 10028 "-" "Mozilla/3.0 (compatible; Indy Library)"
121.205.55.154 - - [05/Dec/2008:15:14:31 +0800] "POST / HTTP/1.0" 200 38466 "http://www.wangzhongyuan.com/archives/426.html" "Mozilla/3.0 (compatible; Indy Library)"
125.46.10.62 - - [05/Dec/2008:15:21:55 +0800] "GET /showtb.asp?id=434 HTTP/1.1" 404 9912 "-" "Mozilla/3.0 (compatible; Indy Library)"
125.46.10.62 - - [05/Dec/2008:15:21:56 +0800] "GET /showtb.asp?id=434 HTTP/1.1" 404 9967 "-" "Mozilla/3.0 (compatible; Indy Library)"
125.46.10.62 - - [05/Dec/2008:15:22:03 +0800] "POST / HTTP/1.0" 200 38474 "http://www.wangzhongyuan.com/archives/434.html" "Mozilla/3.0 (compatible; Indy Library)"
125.46.10.62 - - [05/Dec/2008:15:22:02 +0800] "POST / HTTP/1.0" 200 38486 "http://www.wangzhongyuan.com/archives/434.html" "Mozilla/3.0 (compatible; Indy Library)"
119.114.144.169 - - [05/Dec/2008:15:22:43 +0800] "GET /showtb.asp?id=369 HTTP/1.1" 404 9916 "-" "Mozilla/3.0 (compatible; Indy Library)"
119.114.144.169 - - [05/Dec/2008:15:22:50 +0800] "POST / HTTP/1.0" 200 38535 "http://www.wangzhongyuan.com/archives/369.html" "Mozilla/3.0 (compatible; Indy Library)"

As you can see, the "visitor" whose User-Agent identifies itself as Indy Library made a great many malicious requests and kept POSTing data. The pattern is the same every time: first a GET to /showtb.asp?id=N, which returns 404 because no such script exists on this site, then a POST to / with the Referer set to the matching archive page /archives/N.html. It also disguises itself: the requests come from many different IP addresses, so simply blocking IPs clearly does not work.
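To make that pattern concrete, here is an added example (my own code, not part of the original post) that parses a handful of combined-format log lines like the ones above and pulls out the bot traffic. The four bot lines are copied from the excerpt; the 10.0.0.5 browser line is constructed as a control, and all function and regex names are my own. Besides matching the User-Agent the way SetEnvIfNoCase would, it flags the probe-then-POST sequence per IP, which does not depend on the forgeable User-Agent header at all, and tallies the status codes the bot received, which is the number to watch after putting a block in place.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Apache "combined" log format: four lines copied from the
# excerpt above plus one ordinary browser visit (10.0.0.5, made up) as a control.
SAMPLE_LOG = """\
202.96.180.147 - - [05/Dec/2008:15:01:03 +0800] "GET /showtb.asp?id=80 HTTP/1.1" 404 10159 "-" "Mozilla/3.0 (compatible; Indy Library)"
202.96.180.147 - - [05/Dec/2008:15:01:11 +0800] "POST / HTTP/1.0" 200 38305 "http://www.wangzhongyuan.com/archives/80.html" "Mozilla/3.0 (compatible; Indy Library)"
219.131.237.77 - - [05/Dec/2008:15:02:46 +0800] "GET /showtb.asp?id=285 HTTP/1.1" 404 9957 "-" "Mozilla/3.0 (compatible; Indy Library)"
219.131.237.77 - - [05/Dec/2008:15:02:52 +0800] "POST / HTTP/1.0" 200 38422 "http://www.wangzhongyuan.com/archives/285.html" "Mozilla/3.0 (compatible; Indy Library)"
10.0.0.5 - - [05/Dec/2008:15:03:00 +0800] "GET /archives/80.html HTTP/1.1" 200 38000 "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20081201 Firefox/3.0.4"
"""

# Combined log format: host ident user [time] "request" status size "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
BOT_UA = re.compile(r'indy library', re.IGNORECASE)   # same case-insensitive substring test as SetEnvIfNoCase
PROBE = re.compile(r'^/showtb\.asp\?id=(\d+)$')       # the trackback-style script the bot probes for
ARCHIVE = re.compile(r'/archives/(\d+)\.html$')       # the page it then claims as Referer


def parse(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def bot_hits(entries):
    """Entries whose User-Agent contains the Indy Library string."""
    return [e for e in entries if BOT_UA.search(e['ua'])]


def bot_sessions(entries):
    """Per-IP sequence of (method, path, status) for bot hits, in log order."""
    by_ip = defaultdict(list)
    for e in bot_hits(entries):
        by_ip[e['ip']].append((e['method'], e['path'], e['status']))
    return dict(by_ip)


def probe_then_post(entries):
    """IPs that first GET /showtb.asp?id=N and later POST / with Referer .../archives/N.html.

    Returns {ip: [N, ...]}. This looks at behaviour only, not the User-Agent, so it
    still catches the bot if it changes the (trivially forged) User-Agent string.
    """
    probed = defaultdict(set)
    matched = defaultdict(list)
    for e in entries:
        m = PROBE.match(e['path'])
        if e['method'] == 'GET' and m:
            probed[e['ip']].add(m.group(1))
            continue
        r = ARCHIVE.search(e['referer'])
        if e['method'] == 'POST' and e['path'] == '/' and r and r.group(1) in probed[e['ip']]:
            matched[e['ip']].append(r.group(1))
    return dict(matched)


def status_histogram(entries):
    """Status codes served to the bot: before blocking, 404s for the probes and 200s for
    the POSTs; once a SetEnvIf/Deny rule is in effect every bot hit should show up as 403."""
    return dict(Counter(e['status'] for e in bot_hits(entries)))


if __name__ == '__main__':
    entries = parse(SAMPLE_LOG)
    print('bot hits:', len(bot_hits(entries)), 'of', len(entries))
    for ip, seq in bot_sessions(entries).items():
        print(ip, seq)
    print('probe-then-post:', probe_then_post(entries))
    print('status codes served to bot:', status_histogram(entries))
```

On a real server you would feed `parse()` the contents of the access log instead of SAMPLE_LOG; the probe-then-post grouping is the part worth keeping, since it keeps working if the bot authors finally change the User-Agent.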

Searching online shows that Indy Library (Internet Direct) is originally an open-source networking component library, and "Mozilla/3.0 (compatible; Indy Library)" is simply the default User-Agent of its HTTP client, so any program built on it whose author did not bother to change the string announces itself this way. The library has been widely abused in Chinese spam bots, and most visits recently seen with the "Indy Library" string in the User-Agent are such home-grown Chinese tools. In other words, this "visitor" is very likely an automated program that posts spam advertisements.

There are two ways to block it:
(1) Edit the .htaccess file

SetEnvIfNoCase User-Agent "Indy Library" bad_bot
Order Allow,Deny
Allow from all
Deny from env=bad_bot

After the change the access log shows all of these requests getting a 403, though the bot may keep requesting the same page endlessly. This needs mod_setenvif, and the .htaccess must be allowed to use these directives (AllowOverride FileInfo for SetEnvIf and AllowOverride Limit for Order/Allow/Deny); otherwise Apache returns 500 for the whole directory. Order/Allow/Deny is the Apache 2.2 access-control syntax; Apache 2.4's mod_authz_core replaces it with Require, so the last three lines have to be rewritten there.

(2) Modify the site code to return an empty response

For example (PHP; the check must run before any output is sent):

<?php
// Same case-insensitive substring test as the SetEnvIfNoCase rule above.
$user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
if (stripos($user_agent, 'Indy Library') !== false) {
    exit();   // stop before rendering anything: status 200, empty body
}

This way the server still returns a 200 status but no content at all, so the bot sees a "successful" post and has no reason to retry, while the site skips the work of rendering the page. Keep in mind that these hits still appear as 200 in the log, so exclude them from statistics, and that matching on the User-Agent only works as long as the bot keeps the library's default string: the header is trivially forged, so this is a cheap filter, not a real access control.

This article may be freely reposted; when reposting please keep the full text and credit the source:
Reposted from 仲子说 [ http://www.wangzhongyuan.com/ ]
Original link:
